IAS Security Hero

Revoking a subkey

If you only want to revoke one subkey, you need to follow a slightly different procedure. Start by making a backup of both your secret and public keys in a secure place (the first export below contains your secret key, so treat that file accordingly).

$ gpg -a --export-secret-keys bepstein@ias.edu > bepstein_secret.asc
$ gpg -a --export bepstein@ias.edu > bepstein.asc

Next, edit your key and revoke the subkey you desire.

$ gpg --edit-key bepstein@ias.edu
[ultimate] (1). Brian Epstein <bepstein@ias.edu>
[ultimate] (2)  Brian Epstein <ep@epiary.org>
Command> 1
[ultimate] (1)* Brian Epstein <bepstein@ias.edu>
[ultimate] (2)  Brian Epstein <ep@epiary.org>
Command> revuid
Really revoke this user ID? (y/N) y
Please select the reason for the revocation:
  0 = No reason specified
  4 = User ID is no longer valid
  Q = Cancel
(Probably you want to select 4 here)
Your decision? 4
Enter an optional description; end it with an empty line:
> bepstein@ias.edu is no longer a valid email address
>
Reason for revocation: User ID is no longer valid
bepstein@ias.edu is no longer a valid email address
Is this okay? (y/N) y

You need a passphrase to unlock the secret key for
user: "Brian Epstein <bepstein@ias.edu>"
1024-bit DSA key, ID 0371C12A, created 2006-09-22

pub  1024D/0371C12A  created: 2006-09-22  expires: never       usage: SC  
                     trust: ultimate      validity: ultimate
sub  2048g/4E7A0E4E  created: 2006-09-22  expires: never       usage: E   
[ revoked] (1). Brian Epstein <bepstein@ias.edu>
[ultimate] (2)  Brian Epstein <ep@epiary.org>

Command> save
$ gpg --export -a bepstein@ias.edu > bepstein_rev.asc

Your key, with the revocation attached, is now in bepstein_rev.asc. Next, remove the key from your keyring and re-import the backups you made at the start: you do not want the revocation to take effect on your own key yet. Make sure not to send your key to the keyserver at this point, or you will publish the revocation.

$ gpg --delete-secret-keys bepstein@ias.edu
$ gpg --delete-keys bepstein@ias.edu
$ gpg --import bepstein_secret.asc
$ gpg --import bepstein.asc

Next, you will have to re-trust your key (the re-imported key comes back with trust: unknown).

[2]ep:~$ gpg --edit-key bepstein@ias.edu
Secret key is available.

pub  1024D/0371C12A  created: 2006-09-22  expires: never       usage: SC 
                     trust: unknown       validity: unknown
sub  2048g/4E7A0E4E  created: 2006-09-22  expires: never       usage: E  
[ unknown] (1). Brian Epstein <bepstein@ias.edu>
[ unknown] (2)  Brian Epstein <ep@epiary.org>
Command> 1

pub  1024D/0371C12A  created: 2006-09-22  expires: never       usage: SC 
                     trust: unknown       validity: unknown
sub  2048g/4E7A0E4E  created: 2006-09-22  expires: never       usage: E  
[ unknown] (1)* Brian Epstein <bepstein@ias.edu>
[ unknown] (2)  Brian Epstein <ep@epiary.org>
Command> 2

pub  1024D/0371C12A  created: 2006-09-22  expires: never       usage: SC 
                     trust: unknown       validity: unknown
sub  2048g/4E7A0E4E  created: 2006-09-22  expires: never       usage: E  
[ unknown] (1)* Brian Epstein <bepstein@ias.edu>
[ unknown] (2)* Brian Epstein <ep@epiary.org>

Command> trust
pub  1024D/0371C12A  created: 2006-09-22  expires: never       usage: SC 
                     trust: unknown       validity: unknown
sub  2048g/4E7A0E4E  created: 2006-09-22  expires: never       usage: E  
[ unknown] (1)* Brian Epstein <bepstein@ias.edu>
[ unknown] (2)* Brian Epstein <ep@epiary.org>

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

pub  1024D/0371C12A  created: 2006-09-22  expires: never       usage: SC 
                     trust: ultimate      validity: unknown
sub  2048g/4E7A0E4E  created: 2006-09-22  expires: never       usage: E  
[ unknown] (1)* Brian Epstein <bepstein@ias.edu>
[ unknown] (2)* Brian Epstein <ep@epiary.org>
Please note that the shown key validity is not necessarily correct
unless you restart the program.

Command> 

Now you can send along your revocation key. Make sure to encrypt the email you send, as your revocation key can easily be used to revoke your key. Also, take this opportunity to back up your secret key and revocation key in a secure place. Then securely wipe them from your hard drive.
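Before anything is sent to a keyserver, it is worth checking which parts of the key actually carry a revocation, since a revoked primary key cannot be un-revoked once published. The script below is an added example, not code from the original page or from IAS: it parses the machine-readable output of `gpg --with-colons --list-keys` (record type in the first field, validity in the second, where `r` means revoked) and reports the state of the primary key, each user ID and each subkey. The two sample outputs are constructed to resemble the key in the walkthrough; the long key IDs and user ID hashes are made-up placeholders, and the `live_report` helper (which shells out to gpg) is the only part that touches a real keyring.

```python
"""Audit an OpenPGP key's revocation state from `gpg --with-colons` output.

Added example, not part of the original page. Field layout follows the
colon-separated format documented in GnuPG's DETAILS file: field 0 is the
record type, field 1 the validity ('r' = revoked), field 4 the long key ID,
field 9 the user ID string for uid records.
"""
from dataclasses import dataclass, field
import subprocess

# Constructed sample: primary key intact, first user ID revoked ('r'),
# encryption subkey still valid. Long key IDs / uid hashes are placeholders.
SAMPLE_UID_REVOKED = """\
tru::1:1700000000:0:3:1:5
pub:u:1024:17:DEADBEEF0371C12A:1158883200::u:::scESC::::::::::0:
uid:r::::1158883200::0123456789ABCDEF0123456789ABCDEF01234567::Brian Epstein <bepstein@ias.edu>::::::::::0:
uid:u::::1158883200::89ABCDEF0123456789ABCDEF0123456789ABCDEF::Brian Epstein <ep@epiary.org>::::::::::0:
sub:u:2048:16:CAFEBABE4E7A0E4E:1158883200:::::e::::::23:
"""

# Constructed sample of the failure mode the walkthrough warns about: the
# primary key itself is revoked, so every component is reported revoked.
SAMPLE_PRIMARY_REVOKED = """\
tru::1:1700000000:0:3:1:5
pub:r:1024:17:DEADBEEF0371C12A:1158883200::u:::scESC::::::::::0:
uid:r::::1158883200::0123456789ABCDEF0123456789ABCDEF01234567::Brian Epstein <bepstein@ias.edu>::::::::::0:
uid:r::::1158883200::89ABCDEF0123456789ABCDEF0123456789ABCDEF::Brian Epstein <ep@epiary.org>::::::::::0:
sub:r:2048:16:CAFEBABE4E7A0E4E:1158883200:::::e::::::23:
"""


@dataclass
class KeyReport:
    primary_keyid: str = ""
    primary_revoked: bool = False
    revoked_uids: list = field(default_factory=list)
    valid_uids: list = field(default_factory=list)
    revoked_subkeys: list = field(default_factory=list)
    valid_subkeys: list = field(default_factory=list)


def parse_colons(text: str) -> KeyReport:
    """Build a KeyReport from colon-format listing output."""
    rep = KeyReport()
    for line in text.splitlines():
        f = line.split(":")
        rtype = f[0]
        if rtype == "pub":
            rep.primary_keyid = f[4]
            rep.primary_revoked = f[1] == "r"
        elif rtype == "uid":
            # gpg escapes ':' inside user IDs as \x3a; undo that.
            uid = f[9].replace("\\x3a", ":")
            (rep.revoked_uids if f[1] == "r" else rep.valid_uids).append(uid)
        elif rtype == "sub":
            (rep.revoked_subkeys if f[1] == "r" else rep.valid_subkeys).append(f[4])
    return rep


def safe_to_publish(rep: KeyReport) -> bool:
    """Only publish when the primary key is intact and a valid user ID remains.

    A revocation that reaches a keyserver is permanent, so this is the check
    to run on the key you are about to export or send."""
    return not rep.primary_revoked and bool(rep.valid_uids)


def live_report(key: str) -> KeyReport:
    """Inspect a key in the real keyring (not exercised by the offline demo)."""
    out = subprocess.run(
        ["gpg", "--with-colons", "--list-keys", key],
        check=True, capture_output=True, text=True,
    ).stdout
    return parse_colons(out)


def describe(rep: KeyReport) -> str:
    """Human-readable summary of the report."""
    lines = [f"primary {rep.primary_keyid}: {'REVOKED' if rep.primary_revoked else 'ok'}"]
    lines += [f"  uid revoked: {u}" for u in rep.revoked_uids]
    lines += [f"  uid valid:   {u}" for u in rep.valid_uids]
    lines += [f"  sub revoked: {s}" for s in rep.revoked_subkeys]
    lines += [f"  sub valid:   {s}" for s in rep.valid_subkeys]
    lines.append(f"safe to publish: {safe_to_publish(rep)}")
    return "\n".join(lines)


if __name__ == "__main__":
    for sample in (SAMPLE_UID_REVOKED, SAMPLE_PRIMARY_REVOKED):
        print(describe(parse_colons(sample)))
        print()
```

Run `live_report("bepstein@ias.edu")` against a real keyring to get the same report for your own key; the offline samples exist so the parsing logic can be checked without touching any keys.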